FTP/WatchDog-Z customer closes IE exposure to FTP Server's root folder

A large direct mail fulfillment provider discovered recently that users who connected to their z/OS FTP server using Internet Explorer (version 7 and newer) were shown the contents of the z/OS UNIX root folder after successful logon.

The customer discovered that, beginning with IE7, when a user connected to their z/OS FTP server with IE, they were prompted for a user ID and password and then shown the contents of the z/OS UNIX root folder. When doing the same thing in Firefox, on the other hand, the user was shown the contents of the folder assigned to the user ID, which is what should happen.

Given the power available in FTP, the customer considered this to be a security exposure because they didn't want their users seeing the contents of the root folder, much less being able to manipulate them. The customer turned on some FTP/WatchDog-Z tracing and in a matter of a few minutes determined that the IE browser was issuing a "CD /" command after successfully logging on. Firefox did not issue this change directory command.

After diagnosing the situation, the customer was able to set up a RACF rule which is used by FTP/WatchDog-Z's SAF interface to disallow the command to change to the root directory. Now when users log on with IE, the change directory command fails and they no longer have access to the root folder.

In a matter of about 10 minutes, with the help of FTP/WatchDog-Z, the customer was able to figure out what the exposure was and set up FTP/WatchDog-Z to close the exposure from here on out.
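The behaviour described above, as an added example that is not part of the original page or of FTP/WatchDog-Z: on the wire the browser's "CD /" is the FTP CWD command, so the script below replays constructed trace lines, tracks each session's directory from logon, and applies a deny-root rule to every CWD, resolving relative paths as well so that a "CWD .." that lands on root is caught just like the literal "CWD /". The trace format, session ids and /u/<user> home directories are assumptions.

```python
"""Replay constructed FTP trace lines, resolve every CWD against the
session's current directory, and deny any change that lands on the z/OS
UNIX root.  Added example, not FTP/WatchDog-Z code or its trace format."""
import posixpath
import re
LINE_RE = re.compile(r"^(\S+) ([CS]) (.*)$")   # "<session> <C|S> <text>"

# Constructed trace: S1 behaves like IE7+ (CWD / right after logon), S2 like
# Firefox, S3 reaches root with relative paths instead of the literal "/".
SAMPLE_TRACE = """\
S1 C USER alice
S1 S 230 User logged in
S1 C CWD /
S2 C USER bob
S2 S 230 User logged in
S2 C PWD
S3 C USER carol
S3 S 230 User logged in
S3 C CWD ..
S3 C CWD ..
"""

def resolve(cwd, target):
    """Resolve a CWD argument as a POSIX server would ("//" collapsed to "/")."""
    path = target if target.startswith("/") else posixpath.join(cwd, target)
    return posixpath.normpath(re.sub(r"^/+", "/", path))

def cwd_allowed(cwd, target):
    """Policy modelled on the customer's rule: never allow a change to root."""
    return resolve(cwd, target) != "/"

def replay(trace):
    """Return {session: [denied CWD arguments]}; home dirs are assumed /u/<user>."""
    home, cwd, denied = {}, {}, {}
    for line in trace.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        sess, side, text = m.groups()
        if side == "C" and text.startswith("USER "):
            home[sess] = "/u/" + text.split(None, 1)[1].strip()
        elif side == "S" and text.startswith("230"):
            cwd[sess] = home.get(sess, "/")          # logon succeeded: start in home
        elif side == "C" and sess in cwd and text.startswith("CWD "):
            target = text.split(None, 1)[1].strip()
            if cwd_allowed(cwd[sess], target):
                cwd[sess] = resolve(cwd[sess], target)
            else:
                denied.setdefault(sess, []).append(target)
    return denied
```

Running `replay(SAMPLE_TRACE)` flags S1 for the literal root change and S3 for the second "CWD ..", while the Firefox-like session S2 is untouched.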

Copyright 2009, Software Assist Corporation. All rights reserved.